This month there was CVE-2015-1635 on the menu for the Patch Tuesday. Microsoft released the security bulletin MS15-034 (KB3042553) to address the vulnerability in HTTP.sys.
On the main TechNet page for April 2015, there’s the risk assessment for this vulnerability:
|Bulletin ID:||Vulnerability Title:||CVE ID:||Exploitability Assessment for
Latest Software Release:
|Exploitability Assessment for
Older Software Release:
|Denial of Service
|MS15-034||HTTP.sys Remote Code Execution Vulnerability||CVE-2015-1635||1 - Exploitation More Likely||1 - Exploitation More Likely||Permanent||(None)|
Microsoft has its own Exploitability index and 1 means:
This rating means our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created. As such, customers who have reviewed the security bulletin and determined its applicability within their environment could treat this with a higher priority.
One of the key task when doing patch management is to review what the editor officially says, assess the risk of your assets in your own environment and monitor both the good and the bad guys on the Internet to prioritize your deployment and assess how easy and how fast the vulnerability is exploited, weaponized…
There’s a formula to assess the risk on Wikipedia
R (the Risk) can be function of four factors:
A = Value of the assets
T = the likelihood of the threat
V = the nature of vulnerability i.e. the likelihood that can be exploited (proportional to the potential benefit for the attacker and inversely proportional to the cost of exploitation)
I = the likely impact, the extent of the harm
That said, let’s dive into CVE-2015-1635.
The MS15-034 only mentions IIS in the workaround section of the bulletin and quickly states that disabling IIS kernel caching is a workaround. That was a very short statement.
The bulletin makes it clear that this is not a vulnerability of IIS, it’s a vulnerability of HTTP.sys. Let’s see the link between IIS and HTTP.sys:
It’s not the first time HTTP.sys is vulnerable. We had formerly MS13-039, MS10-040
There’s even an obsolete knowledge base article that listed the hotfixes available for HTTP.sys but it wasn’t reviewed since November 9, 2011!
There are other components that are built on top of HTTP.sys like the WSMan protocol, so I posted the following message on twitter yesterday.
There was a buzz or panic about it. My tweet may have been misinterpreted and many probably wondered whether PSRemoting and WSMan were impacted by this vulnerability.
My goal with this tweet was:
Let’s pay attention to MS15-034 this month.
It will for sure require all your attention.
IIS and other components depend on http.sys. That’s why I joined the above image, I’ve got from this page about troubleshooting WinRM.
I didn’t say that PSRemoting or WSMan are proven to be vulnerable to the specific CVE-2015-1635 vulnerability.
Based on my tweet, if you thought that PSRemoting is vulnerable because of CVE-2015-1635, you’re wrong.
Lee Holmes from the Microsoft Windows PowerShell Team clearly said later on that:
This means that the vulnerable portion of code in https.sys that got fixed is directly linked to services that use the kernel mode caching feature.
WinRM and WSMan don’t rely/depend on this portion of code.
I was right about paying attention to MS15-034.
It’s actually easy to trigger a denial of service (DoS) against IIS computers that have kernel mode caching enabled.
Things are moving fast. In less than 48 hours after MS15-034 was published, there are already active exploits in the wild.
See https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583/ for more information.